Flagged behavior still not blocked
solcroft
08-17-2007, 10:32 PM
Apparently ThreatFire is still suffering from this problem:
http://www.pctools.com/forum/showthread.php?t=48569
djames
08-17-2007, 10:39 PM
I need an example to see this.
thanks
solcroft
08-17-2007, 10:45 PM
Sent via email.
djames
08-17-2007, 10:54 PM
Did TF prompt you to reboot?
solcroft
08-17-2007, 10:58 PM
Yes.
Another strange, possibly-related observation is that my copy of the Sandboxie driver (latest version) refuses to load after rebooting.
djames
08-17-2007, 11:02 PM
I just tried your sample, and we cleaned up everything. I will try again on a different system.
About Sandboxie, will investigate it.
solcroft
08-17-2007, 11:05 PM
Does TF block the creation of netservice.exe on your system, or does it quarantine netservice.exe only after flagging its behavior?
djames
08-17-2007, 11:13 PM
It does not stop the creation; it denies netservice.exe from injecting data, then quarantines it, along with quite a few other things.
solcroft
08-17-2007, 11:18 PM
I fixed the Sandboxie driver by reinstalling it, then tried the trojan again. Sandboxie didn't get disabled after the reboot this time, for some reason.
If the first prompt ("copy itself to multiple locations") wasn't meant to refer to the action of the trojan creating netservice.exe, then I guess I've misunderstood the situation. In which case TF would be functioning perfectly, and yes, it cleaned up netservice.exe on my system as well afterwards.
djames
08-17-2007, 11:24 PM
The rule that fired for me was data injected. The explanation might be what you mentioned. However, the rule fired and "followed" what was happening, and traced all spawned processes and files.
You can actually see the paths via the "i" icon in the Quarantined list.
This is how it is designed for the time being anyway. :-)
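The remediation model djames describes above (a behavioural rule fires on one process, and the product then follows what that process spawned and wrote and quarantines the lot) as an added example. This is illustrative code written for this page, not ThreatFire's engine or anything posted in the thread. The event format, the two rules, the threshold for "copy itself to multiple locations", the process ids, paths and hash strings are all constructed assumptions.

```python
"""Toy behaviour monitor with remediation tracing (added example).

Assumptions, none of them from the thread or from ThreatFire:
- telemetry arrives as dicts of type proc_start / file_write / inject;
- "copy itself to multiple locations" fires once a process has written
  SELF_COPY_THRESHOLD files whose hash equals its own image hash;
- "data injected" fires on any inject event;
- remediation = flagged process, all its descendants, their images and
  every file those processes wrote.
"""
from collections import defaultdict

SELF_COPY_THRESHOLD = 2  # assumed rule parameter, not ThreatFire's value

# Constructed sample telemetry loosely modelled on the thread: a downloaded
# sample (pid 200) drops netservice.exe and launches it; netservice.exe
# drops a driver and a second executable, launches it, then injects into a
# system process (pid 50). Hash strings are placeholders, not real digests.
SAMPLE_EVENTS = [
    {"type": "proc_start", "pid": 200, "ppid": 100,
     "image": r"C:\Users\u\Downloads\sample.exe", "hash": "h-sample"},
    {"type": "file_write", "pid": 200,
     "path": r"C:\Windows\System32\netservice.exe", "hash": "h-sample"},
    {"type": "file_write", "pid": 200,
     "path": r"C:\Users\u\AppData\Roaming\svc.dat", "hash": "h-data"},
    {"type": "proc_start", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\netservice.exe", "hash": "h-sample"},
    {"type": "file_write", "pid": 300,
     "path": r"C:\Windows\System32\drivers\netsvc.sys", "hash": "h-drv"},
    {"type": "file_write", "pid": 300,
     "path": r"C:\Users\u\AppData\Roaming\updater.exe", "hash": "h-upd"},
    {"type": "proc_start", "pid": 301, "ppid": 300,
     "image": r"C:\Users\u\AppData\Roaming\updater.exe", "hash": "h-upd"},
    {"type": "inject", "pid": 300, "target_pid": 50},
]


class BehaviorTracer:
    """Applies the two rules to an event stream and builds the remediation
    set when one fires."""

    def __init__(self):
        self.image = {}                    # pid -> (image path, image hash)
        self.children = defaultdict(set)   # ppid -> {child pid}
        self.files = defaultdict(list)     # pid -> [paths it wrote]
        self.self_copies = defaultdict(int)

    def feed(self, ev):
        """Update state from one event; return a verdict dict if a rule fires."""
        kind = ev["type"]
        if kind == "proc_start":
            self.image[ev["pid"]] = (ev["image"], ev["hash"])
            self.children[ev["ppid"]].add(ev["pid"])
        elif kind == "file_write":
            self.files[ev["pid"]].append(ev["path"])
            own = self.image.get(ev["pid"])
            if own and ev["hash"] == own[1]:
                self.self_copies[ev["pid"]] += 1
                if self.self_copies[ev["pid"]] >= SELF_COPY_THRESHOLD:
                    return self.verdict(ev["pid"], "copy itself to multiple locations")
        elif kind == "inject":
            return self.verdict(ev["pid"], "data injected into another process")
        return None

    def descendants(self, pid):
        """The flagged pid plus everything it (transitively) spawned."""
        seen, stack = set(), [pid]
        while stack:
            p = stack.pop()
            if p in seen:
                continue
            seen.add(p)
            stack.extend(self.children.get(p, ()))
        return seen

    def verdict(self, pid, rule):
        pids = self.descendants(pid)
        quarantine = set()
        for p in pids:
            if p in self.image:
                quarantine.add(self.image[p][0])   # the process's own binary
            quarantine.update(self.files[p])       # everything it dropped
        return {"pid": pid, "rule": rule,
                "processes": sorted(pids), "quarantine": sorted(quarantine)}


def run(events):
    """Feed events in order; return the first verdict, or None if nothing fired."""
    tracer = BehaviorTracer()
    for ev in events:
        verdict = tracer.feed(ev)
        if verdict:
            return verdict
    return None


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

On the sample stream the single drop of netservice.exe by pid 200 does not trip the self-copy rule (only one copy under this example's threshold), so nothing fires until the injection; at that point the verdict covers netservice.exe, the driver and updater.exe it wrote, and the updater.exe process it launched. Note two consequences of this design that match the thread's observations: the dropped file exists on disk before anything is blocked, and files written by the dropper itself (svc.dat here) are outside the traced set because tracing walks down from the flagged process, not up to its parent. Whether to also walk up to the parent that dropped the flagged image is a design choice this example leaves out.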